SlideShare a Scribd company logo
Android Internals
Android Builders Summit – April 13th 2011

            Karim Yaghmour
      karim.yaghmour@opersys.com
             @karimyaghmour
About ...
●   Author of:




●   Introduced Linux Trace Toolkit in 1999
●   Originated Adeos and relayfs (kernel/relay.c)
1. Android Concepts       9. System Server
2. Overall Architecture   10.Activity Manager
3. System startup         11.Binder
4. Linux Kernel           12.Stock AOSP Apps
5. Hardware Support       13.Hacking
6. Native User-Space
7. Dalvik
8. JNI
1. Android Concepts
●   Components
●   Intents
●   Component lifecycle
●   Manifest file
●   Processes and threads
●   Remote procedure calls
1.1. Components
●   1 App = N Components
●   Apps can use components of other applications
●   App processes are automagically started whenever any part
    is needed
●   Ergo: N entry points, !1, and !main()
●   Components:
    ●   Activities
    ●   Services
    ●   Broadcast Receivers
    ●   Content Providers
1.2. Intents
●   Intent = asynchronous message w/ or w/o
    designated target
●   Like a polymorphic Unix signal, but w/o
    required target
●   Intents “payload” held in Intent Object
●   Intent Filters specified in Manifest file
1.3. Component lifecycle
●   System automagically starts/stops/kills
    processes:
    ●   Entire system behaviour predicated on low memory
●   System triggers Lifecycle callbacks when
    relevant
●   Ergo: Must manage Component Lifecycle
●   Some Components are more complex to
    manage than others
1.4. Manifest file
●   Informs system about app’s components
●   XML format
●   Always called AndroidManifest.xml
●   Activity = <activity> ... static
●   Service = <service> ... static
●   Broadcast Receiver:
    ●   Static = <receiver>
    ●   Dynamic = Context.registerReceiver()
●   Content Provider = <provider> ... static
1.5. Processes and threads
●   Processes
    ●   Default: all callbacks to any app Component are issued to the main process thread
    ●   <activity>—<service>—<recipient>—<provider> have process attribute to override
        default
    ●   Do NOT perform blocking/long operations in main process thread:
        –   Spawn threads instead
    ●   Process termination/restart is at system’s discretion
    ●   Therefore:
        –   Must manage Component Lifecycle
●   Threads:
    ●   Create using the regular Java Thread Object
    ●   Android API provides thread helper classes:
        –   Looper: for running a message loop with a thread
        –   Handler: for processing messages
        –   HandlerThread: for setting up a thread with a message loop
1.6. Remote procedure calls
●   Apparently System V IPC is evil ...
●   Android RPCs = Binder mechanism
●   Binder is a low-level functionality, not used as-is
●   Instead: must define interface using Interface
    Definition Language (IDL)
●   IDL fed to aidl Tool to generate Java interface
    definitions
1.7. Development tools
●   SDK:
    ●   android – manage AVDs and SDK components
    ●   apkbuilder – creating .apk packages
    ●   dx – converting .jar to .dex
    ●   adb – debug bridge
    ●   emulator – QEMU-based ARM emulator
    ●   ...
●   Eclipse w/ ADT plugin
●   NDK: GNU toolchain for native binaries
2.1. Overall Architecture - EL
2.2. Overall Architecture - Android
3. System Startup
●   Bootloader
●   Kernel
●   Init
●   Zygote
●   System Server
●   Activity Manager
●   Launcher (Home)
3.1. Bootloader
●   aosp/bootable/bootloader
    ●   Custom bootloader for Android
    ●   USB-based
    ●   Implements the “fastboot” protocol
    ●   Controlled via “fastboot” cli tool on host
●   aosp/bootable/recovery
    ●   UI-based recovery boot program
    ●   Accessed through magic key sequence at boot
    ●   Usually manufacturer specific variant
●   Flash layout:

          0x000003860000­0x000003900000 : "misc"
          0x000003900000­0x000003e00000 : "recovery"
          0x000003e00000­0x000004300000 : "boot"        Kernel
          0x000004300000­0x00000c300000 : "system"      /system
          0x00000c300000­0x0000183c0000 : "userdata"    /data
          0x0000183c0000­0x00001dd20000 : "cache"       /cache
          0x00001dd20000­0x00001df20000 : "kpanic"
          0x00001df20000­0x00001df60000 : "dinfo"
          0x00001df60000­0x00001dfc0000 : "setupdata"
          0x00001dfc0000­0x00001e040000 : "splash1"
          0x000000300000­0x000001680000 : "modem"
                         From Acer Liquid-E
3.2. Kernel
●   Early startup code is very hardware dependent
●   Initializes environment for the running of C code
●   Jumps to the architecture-independent
    start_kernel() function.
●   Initializes high-level kernel subsystems
●   Mounts root filesystem
●   Starts the init process
3.3. Android Init
●   Open, parses, and runs /init.rc:
    ●   Create mountpoints and mount filesystems
    ●   Set up filesystem permissions
    ●   Set OOM adjustments properties
    ●   Start daemons:
        –   adbd
        –   servicemanager (binder context manager)
        –   vold
        –   netd
        –   rild
        –   app_process -Xzygote (Zygote)
        –   mediaserver
        –   ...
3.4. Zygote, etc.
●   Init:
    ●   app_process -Xzygote (Zygote)
●   frameworks/base/cmds/app_process/app_main.cpp:
    ●   runtime.start(“com.android.internal.os.Zygote”, ...
●   frameworks/base/core/jni/AndroidRuntime.cpp:
    ●   startVM()
    ●   Call Zygote's main()
●   frameworks/base/core/java/com/android/internal/os/Zy
    goteInit.java:
    ●   ...
●   preloadClasses()
    ●   startSystemServer()
    ●   ... magic ...
    ●   Call SystemServer's run()
●   frameworks/base/services/java/com/android/server
    /SystemServer.java:
    ●   Start all system services/managers
    ●   Start ActivityManager:
         –   Send Intent.CATEGORY_HOME
         –   Launcher2 kicks in
4. Linux Kernel
4.1. Androidisms
●   Wakelocks
●   lowmem handler
●   Binder
●   ashmem – Anonymous Shared Memory
●   RAM console
●   Logger
●   ...
5. Hardware support
Bluetooth               BlueZ through D-BUS IPC (to avoid GPL contamination it seems)
GPS                     Manufacturer-provided libgps.so
Wifi                    wpa_supplicant
Display                 Std framebuffer driver (/dev/fb0)
Keymaps and Keyboards   Std input event (/dev/event0)
Lights                  Manufacturer-provided liblights.so
     Backlight
     Keyboard
     Buttons
     Battery
     Notifications
     Attention
Audio                   Manufacturer-provided libaudio.so (could use ALSA underneath ... at least as illustrated in their porting guide)
Camera                  Manufacturer-provided libcamera.so (could use V4L2 kernel driver underneath ... as illustrated in porting guide)
Power Management        “Wakelocks” kernel patch
Sensors                 Manufacturer-provided libsensors.so
     Accelerometer
     Magnetic Field
     Orientation
     Gyroscope
     Light
     Pressure
     Temperature
     Proximity
Radio Layer Interface   Manufacturer-provided libril-<companyname>-<RIL version>.so
6. Native User-Space
●   Mainly
    ●   /data    => User data
    ●   /system => System components
●   Also found:
    ●   /cache
    ●   /mnt
    ●   /sbin
    ●   Etc.
●   Libs:
     Bionic, SQLite, SSL, OpenGL|ES,
     Non-Posix: limited Pthreads support, no SysV IPC
●   Toolbox
●   Daemons:
     servicemanager, vold, rild, netd, adbd, ...
7. Dalvik
●   Sun-Java =
        Java language + JVM + JDK libs
●   Android Java =
        Java language + Dalvik + Apache Harmony
●   Target:
    ●   Slow CPU
    ●   Relatively low RAM
    ●   OS without swap space
    ●   Battery powered
●   Now has JIT
7.1. Dalvik's .dex files
●   JVM munches on “.class” files
●   Dalvik munches on “.dex” files
●   .dex file = .class files post-processed by “dx”
    utility
●   Uncompressed .dex = 0.5 * Uncompressed .jar
8. JNI – Java Native Interface
●   Call gate for other languages, such as C, C++
●   Equivalent to .NET's pinvoke
●   Usage: include and call native code from App
●   Tools = NDK ... samples included
●   Check out “JNI Programmer's Guide and
    Specification” - freely available PDF
9. System Server
Entropy Service            Device Policy               Audio Service
Power Manager              Status Bar                  Headset Observer
Activity Manager           Clipboard Service           Dock Observer
Telephone Registry         Input Method Service        UI Mode Manager Service
Package Manager            NetStat Service             Backup Service
Account Manager            NetworkManagement Service   AppWidget Service
Content Manager            Connectivity Service        Recognition Service
System Content Providers   Throttle Service            Status Bar Icons
Battery Service            Accessibility Manager       DiskStats Service
Lights Service             Mount Service               ADB Settings Observer
Vibrator Service           Notification Manager
Alarm Manager              Device Storage Monitor
Init Watchdog              Location Manager
Sensor Service             Search Service
Window Manager             DropBox Service
Bluetooth Service          Wallpaper Service
9.1. Some stats
●   frameworks/base/services/java/com/android/ser
    ver:
    ●   3.5 M
    ●   ~100 files
    ●   85 kloc
●   Activity manager:
    ●   920K
    ●   30+ files
    ●   20 kloc
9.2. Observing with “logcat”
 ●   Find the System Server's PID
          $ adb shell ps | grep system_server
          system 63 32 120160 35408 ffffffff afd0c738 S system_server
 ●   Look for its output:
          $ adb logcat | grep “63)”
...
D/PowerManagerService( 63): bootCompleted
I/TelephonyRegistry( 63): notifyServiceState: 0 home Android Android 310260 UMTS CSS not supp...
I/TelephonyRegistry( 63): notifyDataConnection: state=0 isDataConnectivityPossible=false reason=null interfaceName=null
networkType=3
I/SearchManagerService( 63): Building list of searchable activities
I/WifiService( 63): WifiService trying to setNumAllowed to 11 with persist set to true
I/ActivityManager( 63): Config changed: { scale=1.0 imsi=310/260 loc=en_US touch=3 keys=2/1/2 nav=3/1 ...
I/TelephonyRegistry( 63): notifyMessageWaitingChanged: false
I/TelephonyRegistry( 63): notifyCallForwardingChanged: false
I/TelephonyRegistry( 63): notifyDataConnection: state=1 isDataConnectivityPossible=true reason=simL...
I/TelephonyRegistry( 63): notifyDataConnection: state=2 isDataConnectivityPossible=true reason=simL...
D/Tethering( 63): MasterInitialState.processMessage what=3
I/ActivityManager( 63): Start proc android.process.media for broadcast com.android.providers.downloads/.DownloadReceiver:
pid=223 uid=10002 gids={1015, 2001, 3003}
I/RecoverySystem( 63): No recovery log file
W/WindowManager( 63): App freeze timeout expired.
...
9.3. Snapshot with “dumpsys”
Currently running services:
  SurfaceFlinger
  accessibility
  account
  activity
  alarm
  appwidget
  audio
  backup
...
  wifi
  window
-------------------------------------------------------------------------------
DUMP OF SERVICE SurfaceFlinger:
+ Layer 0x396b90
     z= 21000, pos=( 0, 0), size=( 480, 800), needsBlending=1, needsDithering=1, invalidat ...
0]
     name=com.android.launcher/com.android.launcher2.Launcher
     client=0x391e48, identity=6
     [ head= 1, available= 2, queued= 0 ] reallocMask=00000000, inUse=-1, identity=6, status=0
     format= 1, [480x800:480] [480x800:480], freezeLock=0x0, dq-q-time=53756 us
...
10. ActivityManager
●   Start new Activities, Services
●   Fetch Content Providers
●   Intent broadcasting
●   OOM adj. maintenance
●   Application Not Responding
●   Permissions
●   Task management
●   Lifecycle management
●   Ex. starting new app from Launcher:
      ●   onClick(Launcher)
      ●   startActivity(Activity.java)
      ●   <Binder>
      ●   ActivityManagerService
      ●   startViaZygote(Process.java)
      ●   <Socket>
      ●   Zygote
11. Binder
●   CORBA/COM-like IPC
●   Data sent through “parcels” in “transactions”
●   Kernel-supported mechanism
●   /dev/binder
●   Check /proc/binder/*
●   android.* API connected to System Server
    through binder.
12. Stock AOSP Apps

/packages/apps                            /packages/providers      /packages/inputmethods

AccountsAndSettings    Launcher2          ApplicationProvider      LatinIME
AlarmClock             Mms                CalendarProvider         OpenWnn
Bluetooth              Music              ContactsProvider         PinyinIME
Browser                PackageInstaller   DownloadProvider
Calculator             Protips            DrmProvider
Calendar               Provision          GoogleContactsProvider
Camera                 QuickSearchBox     MediaProvider
CertInstaller          Settings           TelephonyProvider
Contacts               SoundRecorder      UserDictionaryProvider
DeskClock              SpeechRecorder
Email                  Stk
Gallery                VoiceDialer
HTMLViewer
13. Hacking
●   Source:
    ●   AOSP – source.android.com / android.git.kernel.org
    ●   Cyanogenmod – www.cyanogenmod.com
    ●   xdadevelopers – www.xda-developers.com
●   Tools:
    ●   repo / git
    ●   fastboot
    ●   recovery
    ●   Kernel privilege escalation exploits -- “one-click root”
    ●   ...
Thank you ...


karim.yaghmour@opersys.com

More Related Content

What's hot

Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Opersys inc.
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new Platforms
Linaro
 
Embedded Android : System Development - Part I
Embedded Android : System Development - Part IEmbedded Android : System Development - Part I
Embedded Android : System Development - Part I
Emertxe Information Technologies Pvt Ltd
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
Opersys inc.
 
Android Internals
Android InternalsAndroid Internals
Android Internals
Opersys inc.
 
Embedded Android Workshop with Pie
Embedded Android Workshop with PieEmbedded Android Workshop with Pie
Embedded Android Workshop with Pie
Opersys inc.
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HAL
Opersys inc.
 
Android Things : Building Embedded Devices
Android Things : Building Embedded DevicesAndroid Things : Building Embedded Devices
Android Things : Building Embedded Devices
Emertxe Information Technologies Pvt Ltd
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device Driver
Nanik Tolaram
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
Opersys inc.
 
Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)
Emertxe Information Technologies Pvt Ltd
 
Android IPC Mechanism
Android IPC MechanismAndroid IPC Mechanism
Android IPC Mechanism
National Cheng Kung University
 
Embedded Android : System Development - Part II (HAL)
Embedded Android : System Development - Part II (HAL)Embedded Android : System Development - Part II (HAL)
Embedded Android : System Development - Part II (HAL)
Emertxe Information Technologies Pvt Ltd
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IV
Emertxe Information Technologies Pvt Ltd
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
Jayanta Ghoshal
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
Ashish Agrawal
 
Project meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture OverviewProject meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture Overview
Yu-Hsin Hung
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
National Cheng Kung University
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
National Cheng Kung University
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UI
Opersys inc.
 

What's hot (20)

Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new Platforms
 
Embedded Android : System Development - Part I
Embedded Android : System Development - Part IEmbedded Android : System Development - Part I
Embedded Android : System Development - Part I
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Embedded Android Workshop with Pie
Embedded Android Workshop with PieEmbedded Android Workshop with Pie
Embedded Android Workshop with Pie
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HAL
 
Android Things : Building Embedded Devices
Android Things : Building Embedded DevicesAndroid Things : Building Embedded Devices
Android Things : Building Embedded Devices
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device Driver
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
 
Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)
 
Android IPC Mechanism
Android IPC MechanismAndroid IPC Mechanism
Android IPC Mechanism
 
Embedded Android : System Development - Part II (HAL)
Embedded Android : System Development - Part II (HAL)Embedded Android : System Development - Part II (HAL)
Embedded Android : System Development - Part II (HAL)
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IV
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
 
Project meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture OverviewProject meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture Overview
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UI
 

Similar to Android Internals

Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
Opersys inc.
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3
Opersys inc.
 
Porting Android
Porting AndroidPorting Android
Porting Android
Opersys inc.
 
Leveraging Android's Linux Heritage
Leveraging Android's Linux HeritageLeveraging Android's Linux Heritage
Leveraging Android's Linux Heritage
Opersys inc.
 
Inside Android's UI / ABS 2013
Inside Android's UI / ABS 2013Inside Android's UI / ABS 2013
Inside Android's UI / ABS 2013
Opersys inc.
 
Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011
Opersys inc.
 
Porting Android
Porting AndroidPorting Android
Porting Android
Opersys inc.
 
Porting Android ABS 2011
Porting Android ABS 2011Porting Android ABS 2011
Porting Android ABS 2011
Opersys inc.
 
OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...
OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...
OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...
Paris Open Source Summit
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
Michael Scovetta
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IV
Opersys inc.
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011
pundiramit
 
Android presentation
Android presentationAndroid presentation
Android presentation
Siva Ramakrishna kv
 
Android OS
Android OSAndroid OS
Android OS
Nitin Ramchandani
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
Alison Chaiken
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
Develer S.r.l.
 
Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013
Opersys inc.
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
egypt
 
An Introduction To Android
An Introduction To AndroidAn Introduction To Android
An Introduction To Android
natdefreitas
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 

Similar to Android Internals (20)

Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3
 
Porting Android
Porting AndroidPorting Android
Porting Android
 
Leveraging Android's Linux Heritage
Leveraging Android's Linux HeritageLeveraging Android's Linux Heritage
Leveraging Android's Linux Heritage
 
Inside Android's UI / ABS 2013
Inside Android's UI / ABS 2013Inside Android's UI / ABS 2013
Inside Android's UI / ABS 2013
 
Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011
 
Porting Android
Porting AndroidPorting Android
Porting Android
 
Porting Android ABS 2011
Porting Android ABS 2011Porting Android ABS 2011
Porting Android ABS 2011
 
OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...
OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...
OWF12/PAUG Conf Days Android tools for developpeurs, paul marois, design and ...
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IV
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011
 
Android presentation
Android presentationAndroid presentation
Android presentation
 
Android OS
Android OSAndroid OS
Android OS
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013Working with the AOSP - Linaro Connect Asia 2013
Working with the AOSP - Linaro Connect Asia 2013
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 
An Introduction To Android
An Introduction To AndroidAn Introduction To Android
An Introduction To Android
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 

More from Opersys inc.

Android Automotive
Android AutomotiveAndroid Automotive
Android Automotive
Opersys inc.
 
Android 10 Internals Update
Android 10 Internals UpdateAndroid 10 Internals Update
Android 10 Internals Update
Opersys inc.
 
Android Security Internals
Android Security InternalsAndroid Security Internals
Android Security Internals
Opersys inc.
 
Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?
Opersys inc.
 
Embedded Android Workshop with Oreo
Embedded Android Workshop with OreoEmbedded Android Workshop with Oreo
Embedded Android Workshop with Oreo
Opersys inc.
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
Opersys inc.
 
Android Things Internals
Android Things InternalsAndroid Things Internals
Android Things Internals
Opersys inc.
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
Opersys inc.
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
Opersys inc.
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
Opersys inc.
 
Android Things: Android for IoT
Android Things: Android for IoTAndroid Things: Android for IoT
Android Things: Android for IoT
Opersys inc.
 
Android Things Internals
Android Things InternalsAndroid Things Internals
Android Things Internals
Opersys inc.
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
Opersys inc.
 
Brillo / Weave Internals
Brillo / Weave InternalsBrillo / Weave Internals
Brillo / Weave Internals
Opersys inc.
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
Opersys inc.
 
Memory Management in Android
Memory Management in AndroidMemory Management in Android
Memory Management in Android
Opersys inc.
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
Opersys inc.
 
Brillo / Weave Internals
Brillo / Weave InternalsBrillo / Weave Internals
Brillo / Weave Internals
Opersys inc.
 
Project Ara
Project AraProject Ara
Project Ara
Opersys inc.
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
Opersys inc.
 

More from Opersys inc. (20)

Android Automotive
Android AutomotiveAndroid Automotive
Android Automotive
 
Android 10 Internals Update
Android 10 Internals UpdateAndroid 10 Internals Update
Android 10 Internals Update
 
Android Security Internals
Android Security InternalsAndroid Security Internals
Android Security Internals
 
Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?
 
Embedded Android Workshop with Oreo
Embedded Android Workshop with OreoEmbedded Android Workshop with Oreo
Embedded Android Workshop with Oreo
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
 
Android Things Internals
Android Things InternalsAndroid Things Internals
Android Things Internals
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
 
Android Things: Android for IoT
Android Things: Android for IoTAndroid Things: Android for IoT
Android Things: Android for IoT
 
Android Things Internals
Android Things InternalsAndroid Things Internals
Android Things Internals
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
 
Brillo / Weave Internals
Brillo / Weave InternalsBrillo / Weave Internals
Brillo / Weave Internals
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
 
Memory Management in Android
Memory Management in AndroidMemory Management in Android
Memory Management in Android
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
 
Brillo / Weave Internals
Brillo / Weave InternalsBrillo / Weave Internals
Brillo / Weave Internals
 
Project Ara
Project AraProject Ara
Project Ara
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
 

Android Internals

  • 1. Android Internals Android Builders Summit – April 13th 2011 Karim Yaghmour karim.yaghmour@opersys.com @karimyaghmour
  • 2. About ... ● Author of: ● Introduced Linux Trace Toolkit in 1999 ● Originated Adeos and relayfs (kernel/relay.c)
  • 3. 1. Android Concepts 9. System Server 2. Overall Architecture 10.Activity Manager 3. System startup 11.Binder 4. Linux Kernel 12.Stock AOSP Apps 5. Hardware Support 13.Hacking 6. Native User-Space 7. Dalvik 8. JNI
  • 4. 1. Android Concepts ● Components ● Intents ● Component lifecycle ● Manifest file ● Processes and threads ● Remote procedure calls
  • 5. 1.1. Components ● 1 App = N Components ● Apps can use components of other applications ● App processes are automagically started whenever any part is needed ● Ergo: N entry points, !1, and !main() ● Components: ● Activities ● Services ● Broadcast Receivers ● Content Providers
  • 6. 1.2. Intents ● Intent = asynchronous message w/ or w/o designated target ● Like a polymorphic Unix signal, but w/o required target ● Intents “payload” held in Intent Object ● Intent Filters specified in Manifest file
  • 7. 1.3. Component lifecycle ● System automagically starts/stops/kills processes: ● Entire system behaviour predicated on low memory ● System triggers Lifecycle callbacks when relevant ● Ergo: Must manage Component Lifecycle ● Some Components are more complex to manage than others
  • 8. 1.4. Manifest file ● Informs system about app’s components ● XML format ● Always called AndroidManifest.xml ● Activity = <activity> ... static ● Service = <service> ... static ● Broadcast Receiver: ● Static = <receiver> ● Dynamic = Context.registerReceiver() ● Content Provider = <provider> ... static
  • 9. 1.5. Processes and threads ● Processes ● Default: all callbacks to any app Component are issued to the main process thread ● <activity>—<service>—<recipient>—<provider> have process attribute to override default ● Do NOT perform blocking/long operations in main process thread: – Spawn threads instead ● Process termination/restart is at system’s discretion ● Therefore: – Must manage Component Lifecycle ● Threads: ● Create using the regular Java Thread Object ● Android API provides thread helper classes: – Looper: for running a message loop with a thread – Handler: for processing messages – HandlerThread: for setting up a thread with a message loop
  • 10. 1.6. Remote procedure calls ● Apparently System V IPC is evil ... ● Android RPCs = Binder mechanism ● Binder is a low-level functionality, not used as-is ● Instead: must define interface using Interface Definition Language (IDL) ● IDL fed to aidl Tool to generate Java interface definitions
  • 11. 1.7. Development tools ● SDK: ● android – manage AVDs and SDK components ● apkbuilder – creating .apk packages ● dx – converting .jar to .dex ● adb – debug bridge ● emulator – QEMU-based ARM emulator ● ... ● Eclipse w/ ADT plugin ● NDK: GNU toolchain for native binaries
  • 14. 3. System Startup ● Bootloader ● Kernel ● Init ● Zygote ● System Server ● Activity Manager ● Launcher (Home)
  • 15. 3.1. Bootloader ● aosp/bootable/bootloader ● Custom bootloader for Android ● USB-based ● Implements the “fastboot” protocol ● Controlled via “fastboot” cli tool on host ● aosp/bootable/recovery ● UI-based recovery boot program ● Accessed through magic key sequence at boot ● Usually manufacturer specific variant
  • 16. Flash layout: 0x000003860000­0x000003900000 : "misc" 0x000003900000­0x000003e00000 : "recovery" 0x000003e00000­0x000004300000 : "boot" Kernel 0x000004300000­0x00000c300000 : "system" /system 0x00000c300000­0x0000183c0000 : "userdata" /data 0x0000183c0000­0x00001dd20000 : "cache" /cache 0x00001dd20000­0x00001df20000 : "kpanic" 0x00001df20000­0x00001df60000 : "dinfo" 0x00001df60000­0x00001dfc0000 : "setupdata" 0x00001dfc0000­0x00001e040000 : "splash1" 0x000000300000­0x000001680000 : "modem" From Acer Liquid-E
  • 17. 3.2. Kernel ● Early startup code is very hardware dependent ● Initializes environment for the running of C code ● Jumps to the architecture-independent start_kernel() function. ● Initializes high-level kernel subsystems ● Mounts root filesystem ● Starts the init process
  • 18. 3.3. Android Init ● Open, parses, and runs /init.rc: ● Create mountpoints and mount filesystems ● Set up filesystem permissions ● Set OOM adjustments properties ● Start daemons: – adbd – servicemanager (binder context manager) – vold – netd – rild – app_process -Xzygote (Zygote) – mediaserver – ...
  • 19. 3.4. Zygote, etc. ● Init: ● app_process -Xzygote (Zygote) ● frameworks/base/cmds/app_process/app_main.cpp: ● runtime.start(“com.android.internal.os.Zygote”, ... ● frameworks/base/core/jni/AndroidRuntime.cpp: ● startVM() ● Call Zygote's main() ● frameworks/base/core/java/com/android/internal/os/Zy goteInit.java: ● ...
  • 20. preloadClasses() ● startSystemServer() ● ... magic ... ● Call SystemServer's run() ● frameworks/base/services/java/com/android/server /SystemServer.java: ● Start all system services/managers ● Start ActivityManager: – Send Intent.CATEGORY_HOME – Launcher2 kicks in
  • 22. 4.1. Androidisms ● Wakelocks ● lowmem handler ● Binder ● ashmem – Anonymous Shared Memory ● RAM console ● Logger ● ...
  • 23. 5. Hardware support Bluetooth BlueZ through D-BUS IPC (to avoid GPL contamination it seems) GPS Manufacturer-provided libgps.so Wifi wpa_supplicant Display Std framebuffer driver (/dev/fb0) Keymaps and Keyboards Std input event (/dev/event0) Lights Manufacturer-provided liblights.so Backlight Keyboard Buttons Battery Notifications Attention Audio Manufacturer-provided libaudio.so (could use ALSA underneath ... at least as illustrated in their porting guide) Camera Manufacturer-provided libcamera.so (could use V4L2 kernel driver underneath ... as illustrated in porting guide) Power Management “Wakelocks” kernel patch Sensors Manufacturer-provided libsensors.so Accelerometer Magnetic Field Orientation Gyroscope Light Pressure Temperature Proximity Radio Layer Interface Manufacturer-provided libril-<companyname>-<RIL version>.so
  • 24. 6. Native User-Space ● Mainly ● /data => User data ● /system => System components ● Also found: ● /cache ● /mnt ● /sbin ● Etc.
  • 25. Libs: Bionic, SQLite, SSL, OpenGL|ES, Non-Posix: limited Pthreads support, no SysV IPC ● Toolbox ● Daemons: servicemanager, vold, rild, netd, adbd, ...
  • 26. 7. Dalvik ● Sun-Java = Java language + JVM + JDK libs ● Android Java = Java language + Dalvik + Apache Harmony ● Target: ● Slow CPU ● Relatively low RAM ● OS without swap space ● Battery powered ● Now has JIT
  • 27. 7.1. Dalvik's .dex files ● JVM munches on “.class” files ● Dalvik munches on “.dex” files ● .dex file = .class files post-processed by “dx” utility ● Uncompressed .dex = 0.5 * Uncompressed .jar
  • 28. 8. JNI – Java Native Interface ● Call gate for other languages, such as C, C++ ● Equivalent to .NET's pinvoke ● Usage: include and call native code from App ● Tools = NDK ... samples included ● Check out “JNI Programmer's Guide and Specification” - freely available PDF
  • 29. 9. System Server Entropy Service Device Policy Audio Service Power Manager Status Bar Headset Observer Activity Manager Clipboard Service Dock Observer Telephone Registry Input Method Service UI Mode Manager Service Package Manager NetStat Service Backup Service Account Manager NetworkManagement Service AppWidget Service Content Manager Connectivity Service Recognition Service System Content Providers Throttle Service Status Bar Icons Battery Service Accessibility Manager DiskStats Service Lights Service Mount Service ADB Settings Observer Vibrator Service Notification Manager Alarm Manager Device Storage Monitor Init Watchdog Location Manager Sensor Service Search Service Window Manager DropBox Service Bluetooth Service Wallpaper Service
  • 30. 9.1. Some stats ● frameworks/base/services/java/com/android/ser ver: ● 3.5 M ● ~100 files ● 85 kloc ● Activity manager: ● 920K ● 30+ files ● 20 kloc
  • 31. 9.2. Observing with “logcat” ● Find the System Server's PID $ adb shell ps | grep system_server system 63 32 120160 35408 ffffffff afd0c738 S system_server ● Look for its output: $ adb logcat | grep “63)” ... D/PowerManagerService( 63): bootCompleted I/TelephonyRegistry( 63): notifyServiceState: 0 home Android Android 310260 UMTS CSS not supp... I/TelephonyRegistry( 63): notifyDataConnection: state=0 isDataConnectivityPossible=false reason=null interfaceName=null networkType=3 I/SearchManagerService( 63): Building list of searchable activities I/WifiService( 63): WifiService trying to setNumAllowed to 11 with persist set to true I/ActivityManager( 63): Config changed: { scale=1.0 imsi=310/260 loc=en_US touch=3 keys=2/1/2 nav=3/1 ... I/TelephonyRegistry( 63): notifyMessageWaitingChanged: false I/TelephonyRegistry( 63): notifyCallForwardingChanged: false I/TelephonyRegistry( 63): notifyDataConnection: state=1 isDataConnectivityPossible=true reason=simL... I/TelephonyRegistry( 63): notifyDataConnection: state=2 isDataConnectivityPossible=true reason=simL... D/Tethering( 63): MasterInitialState.processMessage what=3 I/ActivityManager( 63): Start proc android.process.media for broadcast com.android.providers.downloads/.DownloadReceiver: pid=223 uid=10002 gids={1015, 2001, 3003} I/RecoverySystem( 63): No recovery log file W/WindowManager( 63): App freeze timeout expired. ...
  • 32. 9.3. Snapshot with “dumpsys” Currently running services: SurfaceFlinger accessibility account activity alarm appwidget audio backup ... wifi window ------------------------------------------------------------------------------- DUMP OF SERVICE SurfaceFlinger: + Layer 0x396b90 z= 21000, pos=( 0, 0), size=( 480, 800), needsBlending=1, needsDithering=1, invalidat ... 0] name=com.android.launcher/com.android.launcher2.Launcher client=0x391e48, identity=6 [ head= 1, available= 2, queued= 0 ] reallocMask=00000000, inUse=-1, identity=6, status=0 format= 1, [480x800:480] [480x800:480], freezeLock=0x0, dq-q-time=53756 us ...
  • 33. 10. ActivityManager ● Start new Activities, Services ● Fetch Content Providers ● Intent broadcasting ● OOM adj. maintenance ● Application Not Responding ● Permissions ● Task management ● Lifecycle management
  • 34. Ex. starting new app from Launcher: ● onClick(Launcher) ● startActivity(Activity.java) ● <Binder> ● ActivityManagerService ● startViaZygote(Process.java) ● <Socket> ● Zygote
  • 35. 11. Binder ● CORBA/COM-like IPC ● Data sent through “parcels” in “transactions” ● Kernel-supported mechanism ● /dev/binder ● Check /proc/binder/* ● android.* API connected to System Server through binder.
  • 36.
  • 37. 12. Stock AOSP Apps /packages/apps /packages/providers /packages/inputmethods AccountsAndSettings Launcher2 ApplicationProvider LatinIME AlarmClock Mms CalendarProvider OpenWnn Bluetooth Music ContactsProvider PinyinIME Browser PackageInstaller DownloadProvider Calculator Protips DrmProvider Calendar Provision GoogleContactsProvider Camera QuickSearchBox MediaProvider CertInstaller Settings TelephonyProvider Contacts SoundRecorder UserDictionaryProvider DeskClock SpeechRecorder Email Stk Gallery VoiceDialer HTMLViewer
  • 38. 13. Hacking ● Source: ● AOSP – source.android.com / android.git.kernel.org ● Cyanogenmod – www.cyanogenmod.com ● xdadevelopers – www.xda-developers.com ● Tools: ● repo / git ● fastboot ● recovery ● Kernel privilege escalation exploits -- “one-click root” ● ...